Secure Facilities and Spaces - Whole Building Design Guide

1 Secure Facilities and SpacesPresented by: Richard Cofer, Facilities Engineering Command Atlantic Capital Improvements Business LineEngineering Criteria and ProgramsNovember 20163 Unclassified: Secure Facilities and SpacesNovember 2016 Intent The intent of this presentation is to make designers aware of: Types of Secure Spaces Terminology associated with Secure Spaces Understand some basic physical security concepts Understand baseline requirements How layout can enhance the security of the Secure : Secure Facilities and SpacesNovember 2016 Secure Facilities and Spaces Secure Facilities and Spaces are designed and operated to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, and : Secure Facilities and SpacesNovember 2016 Secure Facilities and Spaces are typically found in: Secure Facilities and Spaces Command Headquarters Operation Centers Admin Facilities Communication Centers Training Facilities Hangars6 Unclassified: Secure Facilities and SpacesNovember 2016 The requirements for a Secure facility or space must be established during project planning.

2 Establish an interdisciplinary planning team with local considerations to include the following: Planning Supported Command Supported Command s Security Manager Communications Security: Installation/Region N3 EngineeringProject Development PM/DM needs to proactively engage Security Manager to coordinate project requirements and design7 Unclassified: Secure Facilities and SpacesNovember 2016 The planning team must: Determine what assets require protection Understand related DoD/Service policy/regulations Understand the objectives of the system Understand the user s operational requirements Understand the operational and sustainment cost Determine the protective measures and related costs and incorporate them into the project s scope and budget.

3 Determine funding source(s) for electronic security systemsProject Development8 Unclassified: Secure Facilities and SpacesNovember 2016So What Generates the Requirement? The asset being protected: Classified Information Sensitive Compartmented Information (SCI) Special Access Program (SAP) Information Top Secret Secret Confidential Classified Communication Systems Arms, Ammunitions, and Explosives (AA&E) This presentation will focus on the Classified Information and Communications Systems9 Unclassified: Secure Facilities and SpacesNovember 2016 Top Secret Information: Top Secret is be applied to information the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.

4 Top Secret information must be stored: In a GSA-approved security container with one of the following supplemental controls: An employee cleared to at least the Secret level shall inspect the security container once every 2 hours. The location that houses the security container is protected by an intrusion detection system (IDS) with personnel responding to the alarm arriving within 15 minutes of the alarm of Classification10 Unclassified: Secure Facilities and SpacesNovember 2016 Top Secret information must be stored (continued): In an open storage area (also called a Secure room) equipped with an IDS with the personnel responding to an alarm within 15 minutes of the alarm annunciation if the area has been determined to have security-in-depth, or within 5 minutes of alarm annunciation if it has not In a vault, or GSA-approved modular vault, meeting the requirements of Federal Standard (FED-STD) 832 Levels of Classification11 Unclassified.

5 Secure Facilities and SpacesNovember 2016 Secret Information. Secret is applied to information the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security. Secret information must be stored: In the same manner Top Secret information In a GSA-approved security container or vault built to FED-STD 832 specifications, without supplementary controls In an open storage, provided the senior agency official determines in writing that security-in-depth exists, and one of the following supplemental controls is utilized: An employee cleared to the Secret level shall inspect every 4 hours. An IDS with the personnel responding to the alarm arriving within 30 minutes of the alarm of Classification12 Unclassified: Secure Facilities and SpacesNovember 2016 Confidential Information.

6 Confidential. Confidential is applied to information the unauthorized disclosure of which reasonably could be expected to cause damage to the national security. Confidential information must be stored Levels of Classification In the same manner as prescribed for Top Secret or Secret information except that supplemental controls are not : Secure Facilities and SpacesNovember 2016 Sensitive Compartmented Information (SCI). A SCI is classified Secret or Top Secret information that is derived from intelligence sources, methods or analytical processes that is required to be handled within formal access control systems established by the Director of National Intelligence. SCI can only be stored, used, processed, or discussed in a Sensitive Compartmented Information Facility (SCIF)Levels of Classification14 Unclassified: Secure Facilities and SpacesNovember 2016 Special Access Program (SAP): A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.

7 SAP Information can only be stored, used, processed, or discussed in a Special Access Program Facility (SAPF)Levels of Classification15 Unclassified: Secure Facilities and SpacesNovember 2016 Compartmented Area (CA) is a room, a set of rooms, or an area that provides controlled separation between the compartments within a SCIF or SAPF. Compartmented Area (CA)16 Unclassified: Secure Facilities and SpacesNovember 2016 Controlled Unclassified Information (CUI). Unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government-wide policies. For Official Use Only (FOUO). A protective marking to be applied to unclassified information when disclosure to the public of that particular record, or portion thereof, would reasonably be expected to cause a foreseeable harm to an interest protected by one or more provisions of the Freedom of Information Act (FOIA).

8 Unclassified Information17 Unclassified: Secure Facilities and SpacesNovember 2016 During working hours: Reasonable steps must be taken to minimize the risk of access by unauthorized personnel ( , not reading, discussing, or leaving FOUO information unattended where unauthorized personnel are present). After working hours: FOUO information may be stored in unlocked containers, desks, or cabinets if Government or Government-contract Building security is provided. If such Building security is not provided or is deemed inadequate, the information must be stored in locked desks, file cabinets, bookcases, locked rooms, of FOUO Information18 Unclassified: Secure Facilities and SpacesNovember 2016 Classified Information Systems: CENTRIXS: Combined Enterprise Intelligence Exchange System (Confidential) SIPRNET: Secret Internet Protocol Router Network JWICS: Joint Worldwide Intelligence Communications System (Top Secret/SCI)Terms to Know19 Unclassified: Secure Facilities and SpacesNovember 2016 PDS.

9 Protected Distribution System A signal distribution system (raceway, conduit or duct) containing unencrypted National Security Information (NSI) which enters an area of lesser classification, an unclassified area or uncontrolled (public) area must be protected according to the requirements of the current PDS to Know20 Unclassified: Secure Facilities and SpacesNovember 2016 Secure Room (Open storage area) Secure Room. An area constructed in accordance with the requirements of the DoDM Volume 3 Appendix to Enclosure 3 and authorized by the senior agency official for open storage of classified information. Controlled Access Area (CAA) A physical area such as a Building or room under physical control and where only personnel cleared to the level of the information being processed are authorized unrestricted access.

10 Restricted Access Area (RAA) A physical area such as a Building or room where only personnel cleared to the level of the information being processed are authorized unrestricted access, but does not meet all of the physical security requirements of a to Know21 Unclassified: Secure Facilities and SpacesNovember 2016 Terms to Know TEMPEST TEMPEST refers to the investigation, study, and control of Compromising Emanations of National Security Information (NSI) from telecommunications and information processing systems. TEMPEST countermeasures are required when the facility contains equipment that will be processing National Security Information (NSI). Example: CENTRIXS, SIPRNET or JWICS Certified TEMPEST Technical Authority (CTTA) The CTTA has responsibility for conducting or validating TEMPEST reviews and recommending TEMPEST countermeasures 22 Unclassified: Secure Facilities and SpacesNovember 2016 Terms to Know Inspectable space: Inspectable Space is the three-dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and/or remove a potential TEMPEST exploitation exists.